
NMAP 3.48 Tutorial Lesson 2 - More Basics

NMAP v3.48 tutorial lesson 2 of ? rev 1.0 by TheHorse13

PREFACE (Will be repeated at the top of each lesson)
======================
I'd like to start by saying that I will be covering many of the basic functions along with examples and explanations of why you would want to use the tool in each scenario. In addition, I will hit on several advanced features for those who are familiar with the tool but have not yet grasped its advanced functionality.

I will be borrowing verbiage (in some cases) from the developer because I feel that the developer has worded things in ways that I cannot improve upon. By no means is this a cut & paste tutorial, but I would like to make everyone aware that I will be borrowing info where it makes sense.

PREREQUISITE
======================
Read Lesson 1 (The Basics), found in the Tutorial Forum.

IN THIS LESSON
=====================
This lesson will still be at the beginner level so those who are advanced users, look for later lessons where things like connectionless scans are covered.

We will look at some additional scanning techniques and when to use them. We will focus only on internal scans at this point. We will look at output when you hit firewalls, routers and other devices between you and your target in later lessons.

SUBNET, PORT RANGES AND MULTIPLE HOST SCANS
=====================
In lesson 1, we saw a very basic scan that produced results for a single host. Let’s take that same example and add a small twist. You now have an entire subnet that needs to be scanned to pinpoint all of the machines that have remote control services running. In the organization, PCAnywhere is the only supported remote access solution and you now have to track down those who are not in compliance. Being a vigilant security professional, you immediately grab your trusty NMAP tool and go to work.

NOTE: Some folks are quite crafty and don't run services on the port typically associated with the service. For this example, though, we will make two assumptions. First, all remote control services are running on the ports typically associated with them: pcAnywhere on TCP 5631, LapLink on TCP 1547, Terminal Services on TCP 3389 and VNC on TCP 5900.

Second, we will assume that exactly three additional (unsupported) remote control services are running out there: 1) Terminal Services, 2) VNC and 3) LapLink. The subnet you will scan is a class C network, so the network is 192.168.1.0 and the subnet mask is 255.255.255.0.

[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.0/24

OK, let's look over what we are doing here.
nmap – obviously the command
-v – I typically recommend using the verbose switch. If you leave it out, your output will only show the ordered port list and fewer details on scan timing, host responses and other details that may be useful to you.
-sV – The default scan for a privileged user is -sS (SYN stealth, or half-open scan: only a SYN is sent and the handshake is never completed), which tells you that a port is open but not what is listening on it. Adding -sV makes NMAP talk to each open port it finds and identify the running service (and usually its version). Version detection was introduced in NMAP 3.45, so it is available in 3.48.
-p – Ports can be expressed individually separated by commas, as ranges separated by dashes, or as a combination such as -p 1547,1567,3300-3350
hosts 192.168.1.0/24 – now, without starting another tutorial subject, subnet masks are given in CIDR notation as a bit count. For example, 255.255.255.0 is a 24-bit mask (/24), 255.255.0.0 is a 16-bit mask (/16), etc. A single host does not require a mask, but if you want to be technical it is /32 and NMAP accepts it given that way. You can also use the "*" wildcard for an octet, like this: 192.168.1.* (note that there is no -p in front of it; -p is for ports only). This is the same as 192.168.1.0/24. Quote it ('192.168.1.*') so that your shell does not try to expand the asterisk against file names in the current directory before NMAP ever sees it.

Now then, in the interest of post length, I'll let you play with the specific port and port range functionality on your own. You'll notice that you get a complete record for each host that is alive, and should a host not respond, NMAP (with -v) will notify you that the host appears to be down and that it is skipping it.
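The scenario above ends with a list of machines that are out of compliance, so here is an added example (written for this lesson, not nmap's own code) that turns NMAP's grepable output into that list. Run the scan with -oG to get one tab-separated line per host, then feed the file to this script. The -oG lines below are a constructed sample in the 3.48 format, not real scan output, and the port-to-service mapping (5631 pcAnywhere, 1547 LapLink, 3389 Terminal Services, 5900 VNC) is the lesson's own assumption that every tool sits on its usual port.

```python
"""Audit nmap -oG (grepable) output for unsupported remote-control services.

Added example for this lesson, not nmap's own code. The port-to-service
mapping is the lesson's assumption that every tool sits on its usual port;
pcAnywhere (TCP 5631) is the only sanctioned tool in the scenario.
"""

UNSUPPORTED = {1547: "LapLink", 3389: "Terminal Services", 5900: "VNC"}

# Constructed sample of what `nmap -v -sV -p 1547,5631,3389,5900 -oG - 192.168.1.0/24`
# writes. Fields are tab-separated; each port entry is
# port/state/protocol/owner/service/rpcinfo/version/. Not real scan output.
SAMPLE_GREPABLE = """\
# Nmap 3.48 scan initiated (constructed sample)
Host: 192.168.1.10 ()\tPorts: 1547/closed/tcp//laplink///, 3389/closed/tcp//ms-term-serv///, 5631/open/tcp//pcanywheredata///, 5900/closed/tcp//vnc///
Host: 192.168.1.11 ()\tPorts: 1547/closed/tcp//laplink///, 3389/open/tcp//ms-term-serv///, 5631/closed/tcp//pcanywheredata///, 5900/open/tcp//vnc///
Host: 192.168.1.12 ()\tStatus: Down
Host: 192.168.1.13 ()\tPorts: 1547/open/tcp//laplink///, 3389/closed/tcp//ms-term-serv///, 5631/open/tcp//pcanywheredata///, 5900/closed/tcp//vnc///
# Nmap run completed (constructed sample)
"""


def parse_grepable(text):
    """Return {ip: set of open TCP ports} for every host that reported ports.

    Hosts that are down have no "Ports:" field and are left out, which
    mirrors NMAP skipping hosts that appear to be down.
    """
    hosts = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports_field = next((f for f in fields if f.startswith("Ports:")), None)
        if ports_field is None:
            continue
        open_ports = set()
        for entry in ports_field[len("Ports:"):].split(","):
            parts = entry.strip().split("/")
            if len(parts) < 3:
                continue  # malformed entry; ignore rather than crash the audit
            port, state, proto = parts[0], parts[1], parts[2]
            if proto == "tcp" and state == "open":
                open_ports.add(int(port))
        hosts[ip] = open_ports
    return hosts


def audit(hosts):
    """Map each live host to the unsupported services it exposes ([] = compliant)."""
    return {
        ip: sorted(UNSUPPORTED[p] for p in open_ports if p in UNSUPPORTED)
        for ip, open_ports in sorted(hosts.items())
    }


def noncompliant_hosts(text=SAMPLE_GREPABLE):
    """Only the hosts that need a visit from the vigilant security professional."""
    return {ip: names for ip, names in audit(parse_grepable(text)).items() if names}


if __name__ == "__main__":
    for ip, names in noncompliant_hosts().items():
        print(f"{ip}: unsupported remote control: {', '.join(names)}")
```

The check keys on port numbers only because the lesson assumes standard ports. With -sV the service column (and version column) of each entry is filled in from what NMAP actually talked to, so a stricter audit would flag an entry whose service name says vnc or ms-term-serv regardless of which port it was found on.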

One more function that I'd like to cover is the multiple host scan syntax.

[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10,11,12

Notice that I just added additional host ID numbers (values for the last octet) separated by commas. NMAP will recognize this as a multiple host scan. You can also use the same idea when scanning a range of hosts.

[haxor@localhost]# nmap -v -sV -p 1547,5631,3389,5900 192.168.1.10-15

This tells NMAP to scan the specified ports on the IP range 192.168.1.10 through 192.168.1.15. You'll notice that port and host expressions use the same syntax: commas for lists, dashes for ranges. This makes learning the command line switches a bit easier.
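Since the port and host expressions share one syntax, it helps to see exactly what each one unfolds to before you launch a scan. The expander below is an added illustration for this lesson, not code from nmap; it handles the forms used in this lesson (single host, /bits, comma lists, dash ranges and the * wildcard) and assumes NMAP's CIDR behaviour, where 192.168.1.0/24 covers all 256 addresses including the .0 and .255 ends. The probe_count helper is my own addition for sizing a scan.

```python
"""Expand nmap-style port and target expressions the way this lesson uses them.

Added illustration for this lesson, not code from nmap. It assumes NMAP's
CIDR handling, where 192.168.1.0/24 covers all 256 addresses including the
.0 and .255 ends.
"""
import ipaddress
import itertools


def _expand_list(spec, lo_limit, hi_limit):
    """Expand 'a,b-c,d' into a sorted list of ints, rejecting out-of-range values."""
    values = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
        else:
            lo = hi = int(item)
        if not lo_limit <= lo <= hi <= hi_limit:
            raise ValueError(f"{item!r} is outside {lo_limit}-{hi_limit}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def expand_ports(spec):
    """-p syntax: '1547,1567,3300-3350' -> [1547, 1567, 3300, ..., 3350]."""
    return _expand_list(spec, 0, 65535)


def expand_hosts(spec):
    """Target syntax: a.b.c.d, a.b.c.0/24, a.b.c.10-15, a.b.c.10,11,12, a.b.c.*"""
    if "/" in spec:
        # strict=False so 192.168.1.10/24 means the /24 containing that host
        return [str(h) for h in ipaddress.ip_network(spec, strict=False)]
    octets = spec.split(".")
    if len(octets) != 4:
        raise ValueError(f"{spec!r} is not a dotted-quad target expression")
    # Each octet takes the same comma/dash syntax as -p, or * for 0-255.
    choices = [range(256) if o == "*" else _expand_list(o, 0, 255) for o in octets]
    return [".".join(map(str, combo)) for combo in itertools.product(*choices)]


def probe_count(port_spec, host_spec):
    """How many port/host pairs a scan touches; worth knowing before a /16."""
    return len(expand_ports(port_spec)) * len(expand_hosts(host_spec))


if __name__ == "__main__":
    print(expand_ports("1547,1567,3300-3350")[:4], "...")
    print(expand_hosts("192.168.1.10-15"))
    print(probe_count("1547,5631,3389,5900", "192.168.1.0/24"))
```

When you pass the * form on a real command line, quote it ('192.168.1.*') so the shell hands the literal asterisk to NMAP instead of trying to match file names with it.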
